Candid’s mission is to get grantmakers and nonprofits the information you need to do good. But we recognize that data can also be used to do harm. Over the years, we’ve faced various situations in which we’ve had to remove, anonymize, or otherwise modify data to prevent potential harm. In some cases, we’ve made these changes in response to specific requests from funders that have shared grants data with us. In other, more rare occasions – such as the Taliban’s takeover of Afghanistan in August 2021 – we’ve felt compelled to proactively take action based on changing external circumstances. Along the way, we’ve learned important lessons about balancing data protection and transparency.
When working with grantees, it’s important to understand the type of data you have, be clear about how the data is used, and be proactive so you know what to do in case of an incident. This blog post draws on our own experiences at Candid as well as recent conversations with several funders. While it focuses specifically on grants data, many of the lessons are applicable to other data types as well.
1. Define the Nature of the Risk Involved
Sharing data inevitably carries risks, but not all risks are equal. Central to Candid’s approach to data protection, and to that of the funders I spoke with, are concerns about the risks to people (versus risks to property or organizational reputation, for example). Funders working on sensitive issues and/or in sensitive contexts may rightfully be concerned that sharing data about who they’re funding could put grantees at risk of government or community harassment, unlawful detention, or physical harm, including death. For some funders, those concerns could extend to their own staff as well. Identifying the nature of the risk you’re trying to prevent is a critical part of determining what actions to take.
2. Put Grantees at the Center of Decisions Regarding Their Data
Across the board, the funders I interviewed stressed the importance of their relationships with their grantees, both for identifying risks and for determining how to respond to them. While funders may have in-country staff or advisors who can flag potential security risks, grantees are often in the best position to assess risk, and especially the risk to them from information being public.
Organizations may react differently to the same situation, something Candid learned in our response to the situation in Afghanistan. Where one grantee might request that their information immediately be treated confidentially, another might feel that such public exposure – a sign of support from the international community – actually brings them safety. And, as another funder noted, the grantee’s decision on information being public or confidential may not be static. “The security calculus can change a lot,” the funder said. Changes in laws and regulations or in political regimes can rapidly turn what used to be a safe situation into an unsafe one.
Funders have different approaches for how to solicit this input from grantees. One funder said they’ve tried to build in as many steps as possible to check in with grantees about how their grants data should be treated. For example, the funder asks about data management in their grant application and during check-in calls. Grantees are not only asked whether they’re comfortable with the information appearing on the funder’s website, but also with the funder talking to other funders about the grantees’ work. An important aspect of these conversations, this funder mentioned, was awareness of power dynamics: “We want to make sure our grantees feel empowered to share or not share.” Another funder said they share project descriptions on their grantee portal, flagging that the information will be public and asking grantees to reach out to the foundation if there is an issue. Depending on the context, another funder seeks approval from grantees before publicly posting their grants data.
3. Have Cybersecurity Policies and Practices in Place
As one funder put it, “When we’ve seen cybersecurity attacks in our sector, it’s not about financial gain. It’s about information about us and our grantees.” Protecting grantees’ data requires asking questions such as:
- How secure is my grants management system? For example, is data encrypted?
- Outside our organization, who has access to our data? Do our vendors have sufficient data protection practices? “You don’t want to create risks based on who you partner with,” said one funder.
- Are staff familiar with our policies? Have they received adequate training?
Funders also have a role to play in helping their grantees in this area. Given the sensitive or controversial areas of work they support, one of the funders I spoke with noted that they’ve started asking, “How can we support grantees with their cybersecurity? What are their needs?”
4. Have a Data Security Response Plan Before You Need It
The moment a serious situation arises is not the ideal moment to figure out a response, as I can share from experience. Because protecting grantee safety is likely to require action across multiple departments within an organization, it’s best to have checklists or guidelines ready in advance to shape your response. Among the questions you may want to address:
What do we need to do to keep grantees safe in different situations?
There is a natural tendency to think of responses to security risks in binary terms: information is either public or confidential. However, for those who believe, as Candid does, that the sector benefits from “the maximum amount of transparency,” a better approach is to calibrate responses to the level of risk. For one of the funders I spoke with, this means having a spectrum of responses that ranges from publicly posting grants on their website all the way to not publicizing the grantee or their work even within the organization.
To some extent, Candid has a front-row seat to this decision-making. Grants data we receive has sometimes been anonymized at the grantee level or provided in aggregate form to further mitigate risk. Sometimes the grantee location or grant descriptions are vague or missing, and other times we know grants have been omitted altogether. Sometimes data comes in this way, and other times we are asked to make changes or deletions after the data has come in. Such nuanced responses may take more work, but they acknowledge the fact that sharing grants data has value.
Who needs to be involved in the response?
The exact answer to this question will depend on each organization’s internal structure. But all the funders I spoke with noted that data protection in their organization involves multiple teams. The same is true at Candid. Among the teams the funders mentioned were IT, legal, operations, grants management, the CEO/executive director, program staff, and communications. Given the number and variety of players involved, it’s important to be clear on who will be involved in decision-making and who will be responsible for what.
Given what may be widespread internal access to grants data, what steps should be taken to prevent sensitive data from being shared?
Much as grantees are not likely to be thinking about where their data is available publicly during a crisis, funder staff with access to a grants database may not have external reporting at the top of their mind when adding or editing grant details. Some funders use different fields to separate grant details that can be public from those that should be kept internal. Others have set up systems to automatically anonymize data when it is being generated for external purposes. Others simply mark grants as public or confidential. Whatever the approach, this is one area where technology can greatly help in minimizing the potential for human error.
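The three approaches just described (separate public and internal fields, automatic anonymization on export, a per-grant public/confidential marker) can be combined in a single export step so that staff never have to remember which details are shareable. The Python below is an added illustration, not Candid's or any funder's code: the grant records are constructed sample data, the "visibility" flag and its three values are assumptions, and the small-count suppression threshold in the aggregate report is a conventional disclosure-control choice rather than anything the post prescribes. It filters exports through an allowlist of public fields, withholds confidential grants and any grant whose flag is missing or unrecognized, anonymizes grantee, purpose and city for flagged grants, and runs a final leak check before anything leaves the organization.

```python
from collections import defaultdict

# Constructed sample records, not real grants. The 'visibility' flag is a
# hypothetical per-grant marker of the kind the post describes: "public",
# "anonymized" (the grant is reported but the grantee is not identified), or
# "confidential" (the grant is withheld from every external export).
GRANTS = [
    {"grant_id": "G-001", "grantee": "Example Legal Aid Collective", "country": "Country A",
     "city": "Capital City", "amount": 50000, "purpose": "Legal support for detained activists",
     "contact_email": "director@example.org", "internal_notes": "Security memo on file",
     "visibility": "anonymized"},
    {"grant_id": "G-002", "grantee": "Example Literacy Network", "country": "Country A",
     "city": "River Town", "amount": 20000, "purpose": "Adult literacy classes",
     "contact_email": "info@example.org", "internal_notes": "", "visibility": "public"},
    {"grant_id": "G-003", "grantee": "Example Health Cooperative", "country": "Country A",
     "city": "Hill Town", "amount": 30000, "purpose": "Rural clinic supplies",
     "contact_email": "clinic@example.org", "internal_notes": "", "visibility": "public"},
    {"grant_id": "G-004", "grantee": "Example Journalists Fund", "country": "Country B",
     "city": "Port City", "amount": 40000, "purpose": "Independent media support",
     "contact_email": "editor@example.org", "internal_notes": "Do not publicize, per grantee",
     "visibility": "confidential"},
    {"grant_id": "G-005", "grantee": "Example Youth Sports Club", "country": "Country B",
     "city": "Port City", "amount": 10000, "purpose": "Youth football league",
     "contact_email": "coach@example.org", "internal_notes": "", "visibility": "public"},
]

# Field separation: only these fields may ever appear in an external export.
# The allowlist does the filtering; any field not named here is internal by default.
PUBLIC_FIELDS = ("grant_id", "grantee", "country", "city", "amount", "purpose")
UNDISCLOSED = "Undisclosed"


def redact_for_export(grant):
    """Return the externally shareable view of one grant, or None to withhold it."""
    visibility = grant.get("visibility", "confidential")  # missing flag: fail closed
    if visibility == "confidential":
        return None
    record = {field: grant.get(field) for field in PUBLIC_FIELDS}  # allowlist copy
    if visibility == "anonymized":
        record["grantee"] = UNDISCLOSED
        record["purpose"] = UNDISCLOSED
        record["city"] = None  # keep the country, drop the finer location
    elif visibility != "public":
        return None  # unrecognized flag value: fail closed rather than guess
    return record


def export_for_external(grants):
    """Build the list of records that may be sent to an external platform."""
    return [r for r in (redact_for_export(g) for g in grants) if r is not None]


def aggregate_by_country(grants, min_count=3):
    """Country-level totals for aggregate reporting.

    Countries with fewer than min_count grants are suppressed so that a total
    cannot be traced back to one or two grantees. Confidential grants are
    included in the totals here; whether to do so is a policy decision.
    """
    totals = defaultdict(lambda: {"grants": 0, "amount": 0})
    for g in grants:
        totals[g["country"]]["grants"] += 1
        totals[g["country"]]["amount"] += g["amount"]
    return {c: v for c, v in totals.items() if v["grants"] >= min_count}


def leaked_internal_fields(records):
    """Final check before sending: the set of non-public fields that slipped through."""
    return {f for r in records for f in r if f not in PUBLIC_FIELDS}


if __name__ == "__main__":
    export = export_for_external(GRANTS)
    assert not leaked_internal_fields(export), "internal fields in external export"
    for record in export:
        print(record)
    print(aggregate_by_country(GRANTS))
```

The two fail-closed branches matter most in practice: a grant entered by a colleague who forgot to set the flag, or a flag value introduced by a later schema change, is withheld rather than published. The leak check is cheap and worth running on every generated file, since it catches the case where someone extends the record with a new internal field without updating the export code.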
Where has this data been shared externally?
When a security situation arises, particularly if the risk is grave, funders will need to do everything they can to “pull back” sensitive information wherever it appears. Funders are continuously asked to share information about their grantmaking, including by Candid. Keeping track of where this data has been shared, whether by program officers, grants management staff, or others, is essential. One funder framed this as having “control and knowledge of which platforms we’re on.”
Always Get Better at Keeping Information Safe
As I shared at the beginning of this blog post, Candid’s mission is to get you the information you need to do good. That means our organization is fully oriented towards pushing information out. It’s why one of the mantras of our grants data sharing program is: “If it shouldn’t be public, don’t share it with us.” But we know that the world can be a complicated and, sadly, dangerous place for those fighting for change. And we recognize that, while funders are the front-line defenders of their data, as providers of that data we too must do all we can to keep organizations safe. In that endeavor, we view ourselves as a partner to the sector and look forward to continuing to learn from those with more experience than ourselves.
Are you looking for more guidance on how to manage your foundation’s data security? Check out our webinar, Mission-Critical Data Security Best Practices for Grantmaking Organizations, for a discussion between Laia and Ashley Wyand, senior manager, Cyber Security at Blackbaud, about the risks and responsibilities of managing information about grantees and donors.